Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

I’m guessing it’s the common suspects, mostly open source tools bundled together with a nice interface or some batch scripts.

‘Internet History’ – I bet it only works if they use Internet Explorer (history.dat anyone?) and not Firefox with caching turned off.

But then with USB pen drives going up to 8-16gb nowadays you could fit almost a full set of Rainbow Tables for common characters.

Brad Smith, Microsoft’s general counsel, described COFEE in an interview.

“It’s basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you’re a law enforcement official and let’s say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that’s encrypted, and you’ve got that information off in order to have a successful investigation and prosecution.

“In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They’d have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information.”

A MS rep has confirmed that the kit is a compilation of publicly available forensics tools and it does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret ‘backdoors’ or other undocumented means.

Roger: Perhaps we got the idea from Microsoft General Counsel Brad Smith who acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said. RTFA.

gul: No one really knows…apart from MS and the people who have a copy of the software.

Well, I think Brad was pretty clear in the interview you cite:
“These are things that we invest substantial resources in, but not from the perspective of selling to make money,” Smith said in an interview. “We’re doing this to help ensure that the Internet stays safe.”
We are doing a lot of things with Law Enforcement – mainly around training them how to do forensics. This becomes especially important in areas like Africa or other developing countries.
Roger

I’ve talked to a couple of people who have used the tool. It was just in passing, and the conversation didn’t get in depth at all, however the gist of the conversation was that the tool was crap. Well, maybe crap is an exaggeration. But, for anyone who really is involved in forensics, making your own thumb drive is the way to go. It’s all about using the tools you’re familiar with and trust. I’m not entirely sure, however, I do think that the tool did have some Microsoft programs on there. But, some of the tools, or implementations of the tools might work on only certain OS’s. (XP but not Vista). Not sure which tools though. Could be something like dd being used for dumping physical memory. As far as I know it’ll work on XP but not on Vista (at least my most recent Helix disc didn’t do it on Vista). But yeah, as for the COFEE tool, from what I’ve heard from people in the forensics field, it’s just like any other Microsoft product. Good for Microsoft on making an effort and putting out a product like this, but it’s a bad implementation and most people can do a better job on their own. IMO

Although it’s a couple of years old, this SourceForge project is probably a similar tool. This tool can be modified to include other portable apps and can easily be run off a USB with most modules working flawlessly. I do not know what happened to the development of this tool but it would be cool if someone continued it. Rpier – Intel(R) Regimented Potential Incident Examination Report (RPIER) is a 1st handlers tool used to obtain volatile information from Windows OS computer systems.

Roger: That’s somewhat laughable as ONE person made this toolkit and it’s made from freely available (probably open source) tools. I don’t see this being a huge R&D product or MS developed software being released to the community. I’d prefer to get my forensics training from Encase, last time I looked MS wasn’t a pioneer in the forensics industry.

Doey6: I agree most (myself included) have their own forensics toolkit gathered from tools that work and get the job done.

Randy: That’s cool, I’ll check it out. I have something similar, boot CDs are fine for post analysis but when you want to dump the RAM etc before shutting down a machine USB is the way to go (well it was floppy disks in the old days).

Well, again, I was probably not clear: He did not say “this is something we invest” but “these are things we invest”. If you look at what we do for LE, this is a significant investment. There are tools which help LE to coordinate on Child Exploitation cases and so on – there is much, much more than I am willing to write down here in this box (but we can have a discussion on this if you wish – I am happy to invest some time and blog on it).
With regards to the tool: the basic target was and still is the LE Officer doing a house search, not being a deep forensic specialist as you all seem to be. I agree that a forensic specialist being called to a hacking scene has his own tools. This is not the focus of that. But a police officer doing a house search: it is probably better to have an automated script rather than a checklist of what he has and can do.
It is interesting to me that a lot of people attack us for the quality of a tool we did for LE and LE is very interested in using it…
Roger

I don’t know if USB is the right way to go when dumping memory, running an application from USB will overwrite some memory. A better solution would be to use the firewire attach that has been discussed all over the net recently.
The use of a usb based toolkit suggests to me a degree of covertness is being employed. Usually, law enforcement is a very overt function when it comes to forensic imaging and capture.
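Roger’s point above (an automated script instead of a checklist for the officer doing a house search) and Bogwitch’s caveat (anything run on the live box overwrites some memory) pull in the same direction: if you must run a live triage, make it small, scripted, and documented. The script below is an added example for this thread; it is not COFEE, RPIER or any Microsoft code. It walks a fixed list of volatile-data steps in order of volatility, timestamps every action, and writes a SHA-256 manifest of the output files. It assumes PowerShell 4.0 or later (for `Get-FileHash`), an elevated prompt, and a collection folder on the removable media passed as `-OutDir` (the default `E:\triage` is a placeholder).

```powershell
# Added example (not COFEE/RPIER/Microsoft code): a minimal first-responder triage
# script. Collects volatile data most-volatile-first, logs each step with a UTC
# timestamp, and hashes every output file so the collection can be verified later.
# Assumptions: PowerShell 4.0+ (Get-FileHash), elevated prompt, -OutDir on the
# collection media (E:\triage is a placeholder path).
param(
    [string]$OutDir = "E:\triage"   # assumed path to the removable collection media
)

$case = Join-Path $OutDir ("{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $case -Force | Out-Null
$log = Join-Path $case "collection.log"

function Write-Log([string]$Message) {
    # Every action is timestamped in UTC so the order of collection is on record.
    $line = "{0:u} {1}" -f (Get-Date).ToUniversalTime(), $Message
    Add-Content -Path $log -Value $line
}

function Invoke-Step([string]$Name, [scriptblock]$Action) {
    # Runs one collection step, saves its output (stdout and stderr) and logs the result.
    $outFile = Join-Path $case "$Name.txt"
    Write-Log "BEGIN $Name"
    try {
        & $Action 2>&1 | Out-File -FilePath $outFile -Encoding utf8
        Write-Log "END   $Name -> $outFile"
    } catch {
        Write-Log "FAIL  $Name : $($_.Exception.Message)"
    }
}

# Ordered from most to least volatile: what is lost first is captured first.
Write-Log "Collection started by $(whoami) on $env:COMPUTERNAME"
Invoke-Step "01_system_time"     { Get-Date; w32tm /query /status }
Invoke-Step "02_logged_on_users" { query user; Get-CimInstance Win32_ComputerSystem | Select-Object Name, UserName, Domain }
Invoke-Step "03_network_conns"   { netstat -ano }
Invoke-Step "04_arp_routes"      { arp -a; route print }
Invoke-Step "05_processes"       { Get-Process | Select-Object Id, ProcessName, Path, StartTime | Sort-Object Id | Format-Table -AutoSize }
Invoke-Step "06_services"        { Get-Service | Sort-Object Status, Name | Format-Table -AutoSize }
Invoke-Step "07_network_config"  { ipconfig /all }
Invoke-Step "08_scheduled_tasks" { schtasks /query /fo LIST /v }
Invoke-Step "09_mounted_volumes" { Get-CimInstance Win32_LogicalDisk | Select-Object DeviceID, VolumeName, FileSystem, Size, FreeSpace }

# Hash manifest: lets anyone later verify that the collected files were not altered.
Get-ChildItem -Path $case -Filter "*.txt" |
    ForEach-Object { Get-FileHash -Path $_.FullName -Algorithm SHA256 } |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $case "manifest_sha256.csv") -NoTypeInformation
Write-Log "Collection finished; manifest written"
```

Two design choices matter more than the exact command list. First, the script writes only to the collection media and never to the suspect disk, so the on-disk footprint is limited to what Windows itself does when a USB device is plugged in. Second, it cannot avoid touching RAM (that is Bogwitch’s objection, and a hardware DMA capture is the only way around it), so instead it records exactly which commands ran and when; the log and the hash manifest are what let you explain later which changes to the machine were yours.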

So much for “trust” in MS. They provide people with an operating system and then they provide LE with tools to screw us over. If that was just a set of public domain tools, why is this tool not available on their website?
But on the other hand, until they release SP1 for that “tool” it will probably be useless :)

Hey Jerk! Screw whom over? As long as the “good” guys – assuming they all are (a big assumption) – are the ones that have it, so what? Are you a criminal? The only reason we have laws and cops is that human beings aren’t by and large civilized (or particularly intelligent) creatures. If we were civilized, we would need neither laws nor cops.

There’s a lot of ifs, ands and buts, but this stuff isn’t anything new. Both the good guys and the bad guys have all this stuff already, so what’s the big deal? This is all just stuff you can browse around and find. Microsoft isn’t screwing anyone, and if this does help to curb some of the world’s uncivilized inhabitants, I’m all for it.

A friend of mine’s step son does covert work for the government (he’s ‘009.5’ or something), and the word I got is that the Feds have PGP and TrueCrypt, etc. hacked. They don’t do it by brute force. They use smarts. ‘You have no privacy, get used to it,’ as some computer industry guy once said. If you need the kind of privacy that requires that level of security, you should rethink your life. Become civilized.

Well, I do not know whether I am a criminal or not (I’d like to think I am the good guy), but in a situation where everyone is looking for terrorists, having (or reading) the wrong stuff at the wrong time on your PC may result in one being thrown in a prison (or, like in the big wise democracy: Guantanamo).
So… yes, I am worried that MS provides tools to LE guys (it’s like the guy that replaced your front door lock giving a key to your local LE guy – would you like that?)
Have you seen the stuff they provide? Have you got anything more than just gossip?

Roger: No one is attacking, simply questioning. That’s why it pays to avoid being defensive and to be well informed. Would be interested to see more info on your blog.

Bogwitch: Agree, Firewire is a better solution than USB due to the way it can directly address memory… still, many older and cheaper machines don’t have Firewire ports. Personally I do live assessments with a CD as I find read-only media the safest.

eM3rC: Yah we removed the maths thingy and put some other protection in place that doesn’t require user action (combination of JavaScript and Cookies).

Surely someone could get BackTrack or nUbuntu onto a USB thumb drive that would be much better than this drive; they both have thousands of tools and a full OS to back them up, with major TCP/IP access without the hack that is the NT TCP/IP stack.
PS fix the site so that I can browse it using NoScript, it took me several attempts to post this, all greeted with please enable cookies and javascript; you guys are allowed in noscript, so I have no idea why it didn’t work on my laptop.

@Darknet
Thanks for doing that! It was always a pain reentering posts because of that anti-spam feature.

As for the security issue, I stumbled upon a very interesting 2600 article in their most recent issue. Using a copy of Knoppix (the live CD) and a removable hard drive/USB key one can gain access to any computer as long as the BIOS is configured correctly. Basically all you have to do is run the live OS, access the Windows hard drive through Knoppix and simply copy and paste the files onto the removable hard drive. No passwords required. The only requirement is that the removable hard drive is formatted in FAT32.

Just thought I’d recommend a good program for those of you on a computer that you can log into and can run .msi/.exe programs.

It’s called SIW.

This program will basically tell you about every aspect of the computer including saved passwords, registry keys used for all the software, WEP/WPA keys, hardware, etc. etc. You get where I’m going with this.

Let me ask the silly question… Would this be a good tool for the beginner? Because, reading all of the comments, it might have goods and bads… How did you learn? I fell on my butt sometimes before succeeding and I think most of us have. I am not an expert but a newbie that is still filtering and is looking for good training and, if the case be, falling software. I am reluctant to say good or bad, but is it something we can learn from so we don’t make up tools that are not the best in the land?

You know, if I continue to listen to all here I will learn faster than any program; no one holds back. Excellent setup Darknet, thanks.

Hmm, Helix looks good, akin to Knoppix STD (that was a good distro, shame it hasn’t been updated much); I’ll have to give it a go. I remember I posted on this ages ago with my Changlinn moniker. I changed to my real name as there is no point; I am the only one that uses Changlinn so it is easy enough to trace back to me.
I saw some of these Windows tools; they are horribly crippled compared to their OSS counterparts. Netmon, pahlease – give me Wireshark and libpcap-capable routers any day.